Back Up Using System Center Data Protection Manager

Applies To: Windows Essential Business Server

System Center Data Protection Manager 2007 (DPM) is a server software application that enables disk-based and tape-based data protection and recovery for computers in and across Active Directory domains. DPM is designed to run on servers running Windows Server 2003 with Service Pack 2 (SP2), Windows Server 2003 R2 with SP2, Windows Storage Server 2003 with SP2, or Windows Server 2008. DPM uses replication, the Volume Shadow Copy Service (VSS) infrastructure, and a policy-driven engine to protect and recover data.

DPM can be used to protect data that is generated and stored on servers running Windows EBS.

Important

DPM should not be installed on the Management Server, Security Server, or Messaging Server. It should be installed on a separate server that has adequate storage and backup capacity.

To plan your server configuration and capacity requirements for installing DPM on a Windows EBS network, refer to the following documents:

Installing and configuring System Center Data Protection Manager in a Windows Essential Business Server environment

You must complete several steps to install and configure DPM to protect a Windows EBS environment. Begin by installing DPM on a suitably configured server (as determined by reading the documentation listed in the previous section). Install DPM, connect the server to your network, and then join it to the Windows EBS domain by following the instructions in the DPM software documentation.

Important

It is recommended that you install DPM 2007 Service Pack 1 (SP1). DPM 2007 SP1 delivers additional functionality for the workloads that are protected by DPM, including system state backup for Windows Server 2008 and SQL Server 2008. You must install this service pack if you intend to use DPM to back up the system state of a server. For more information and to download the service pack, see Description of System Center Data Protection Manager 2007 Service Pack 1 (https://go.microsoft.com/fwlink/?LinkId=137147).

After you have installed DPM, log on to the DPM server by using an account with domain administrator privileges, and complete the following configuration steps:

  1. Configure Windows EBS.

    1. Disable circular logging for Exchange Server.

    2. Configure the Forefront TMG firewall on the Security Server to allow DPM communication.

    3. Configure your DPM server with Exchange binaries for integrity checking.

    4. Configure a Group Policy setting for Windows Firewall.

    5. Configure DPM to back up Windows SharePoint Services.

  2. Configure backup storage locations for the DPM storage pool.

  3. Install DPM agents on the Management Server, Security Server, and Messaging Server.

  4. Create DPM protection groups.

  5. Perform a system state backup by using DPM and a full system backup by using Windows Server Backup.

Configure Windows Essential Business Server

Disable Exchange Server circular logging

To use DPM, you must disable circular logging for protected Exchange Server storage groups. To learn more about disabling circular logging, refer to the article, "How to Enable or Disable Circular Logging for a Storage Group" at the Microsoft Web site (https://go.microsoft.com/fwlink/?LinkId=105554).

To disable circular logging for a storage group

  1. Log on to the Messaging Server by using an account with domain administrator privileges, and start the Exchange Management Console.

    -or-

    From the Windows Essential Business Server Administration Console, click the Computers and Devices tab, click the name of the Messaging Server, and then in the tasks pane, click Exchange Management Console.

  2. In the console tree, expand Server Configuration, and then click Mailbox.

  3. In the work pane, right-click First Storage Group, and then click Properties. The First Storage Group Properties dialog box appears.

  4. Clear the Enable circular logging check box.

  5. Click OK.

  6. In the work pane, right-click the Second Storage Group, and then click Properties. The Second Storage Group Properties dialog box appears.

  7. Clear the Enable circular logging check box.

  8. Click OK.

  9. Do one of the following:

    • Restart the Microsoft Exchange Information Store service.

    • Dismount and then remount all of the databases in the storage group.

    Important

    Mailboxes and public folders on a server are unavailable to users while the Microsoft Exchange Information Store service is being restarted. Mailboxes and public folders in a database are unavailable while a database is being dismounted and remounted.
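The same change made from the Exchange Management Shell on the Messaging Server, as an added example that is not part of the original article: it disables circular logging on every storage group, remounts the databases so the setting takes effect, and verifies the result. The server name is a placeholder.

```powershell
# Added example (not from the original article). Run in the Exchange Management Shell
# on the Messaging Server; $messagingServer is a placeholder for its host name.
$messagingServer = "MESSAGING-SERVER"

# Step 1: turn off circular logging on each storage group (DPM requires this).
Get-StorageGroup -Server $messagingServer | ForEach-Object {
    if ($_.CircularLoggingEnabled) {
        Write-Host ("Disabling circular logging on {0}" -f $_.Identity)
        Set-StorageGroup -Identity $_.Identity -CircularLoggingEnabled $false
    }
    else {
        Write-Host ("Circular logging already disabled on {0}" -f $_.Identity)
    }
}

# Step 2: the change applies only after the databases are remounted (or the
# Information Store is restarted). A dismounted database is unavailable to its
# users until it is mounted again, so schedule this for a maintenance window.
$databases = @(Get-MailboxDatabase -Server $messagingServer) +
             @(Get-PublicFolderDatabase -Server $messagingServer)
foreach ($db in $databases) {
    Write-Host ("Remounting {0}" -f $db.Identity)
    Dismount-Database -Identity $db.Identity -Confirm:$false
    Mount-Database -Identity $db.Identity
}

# Step 3: confirm that no storage group still has circular logging enabled.
$stillEnabled = Get-StorageGroup -Server $messagingServer |
    Where-Object { $_.CircularLoggingEnabled }
if ($stillEnabled) {
    Write-Warning ("Circular logging is still enabled on: {0}" -f ($stillEnabled | ForEach-Object { $_.Identity }))
}
else {
    Write-Host "Circular logging is disabled on all storage groups."
}
```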

Configure the Forefront Threat Management Gateway firewall to allow DPM communication

The DPM agent uses various ports and protocols to connect with the DPM server. In Windows EBS, the Forefront TMG firewall on the Security Server needs to be configured to allow the DPM server to communicate through those ports. The complete list of ports that are used by DPM is documented at the Microsoft Web site (https://go.microsoft.com/fwlink/?LinkId=118620).

Use the following procedures to configure the Forefront TMG firewall to work with DPM:

  • Define protocols for DPM in Forefront TMG

  • Add a computer rule for the DPM server

  • Create an access rule for DPM traffic

  • Configure registry settings on the Security Server and the DPM server

To define protocols for DPM in Forefront TMG

  1. From the Windows Essential Business Server Administration Console, click the Security tab, click Network firewall, and then in the tasks pane, click Forefront Threat Management Gateway console.

  2. In the console tree, expand the node for the Security Server, and then click Firewall Policy.

  3. In the right pane, click Toolbox, expand Protocols, click New, and then click Protocol.

    The New Protocol Definition Wizard appears, and you can define a new DPM Agent Coordinator protocol (TCP, outbound, port range 5718) as follows:

    1. In the New Protocol Definition Wizard, type DPM Agent Coordinator, and then click Next.

    2. On the Primary Connection Information page, click New.

    3. In the New/Edit Protocol Connection dialog box, choose a Protocol type of TCP, a Direction of Outbound, and a Port Range (both From and To) of 5718. Click OK.

    4. Click Next twice, and then click Finish to close the New Protocol Definition Wizard.

  4. In the right pane, click New, and then click Protocol.

    The New Protocol Definition Wizard appears, and you can define a new DPM Protection Agent protocol (TCP, outbound, port range 5719).

  5. In the right pane, click New, and then click Protocol.

    In the New Protocol Definition Wizard, define a new DPM Dynamic Ports protocol (TCP, outbound, port range 50000-50050).

    Note

    You need approximately 50 ports in the unreserved dynamic port range between 49152 and 65535. For more information about this range, see the Internet Assigned Numbers Authority Web site (https://go.microsoft.com/fwlink?LinkId=22654).

  6. In the right pane, click New, and then click RPC Protocol.

    The New RPC Protocol Definition Wizard appears, and you can define a new RPC Compliant DPM protocol as follows:

    1. In the New Protocol Definition Wizard, type DPM RPC, and then click Next.

    2. On the Select Server page, click Add interfaces manually.

    3. On the Adding Interfaces to the Protocol Definition page, click Add.

    4. In the Add/Edit Interfaces dialog box, under Interface UUID type {12345778-1234-abcd-ef00-0123456789ac}. Under Interface Name, type RPC for DPM, click OK, and then click Next.

    5. Click Finish to close the New RPC Definition Wizard.

  7. In the top pane, click Apply to save changes and update the configuration.

To add a computer rule element for the DPM server

  1. In the right pane of the Forefront TMG console, click Toolbox, expand Network Objects, click New, and then click Computer.

  2. In the New Computer Rule Element dialog box, type a Name for the DPM server, and then under Computer IP Address, type the server’s IP address. Click OK.

  3. In the top pane, click Apply to save changes and update the configuration.

To create an access rule for DPM traffic

  1. In the right pane of the Forefront TMG console, click Tasks, and then under Firewall Policy Tasks, click Create Access Rule.

  2. The New Access Rule Wizard appears. Type a name for the access rule (such as Allow DPM Traffic), and then click Next.

  3. On the Rule Action page, click Allow, and then click Next.

  4. On the Protocols page, under This rule applies to, choose Selected protocols, and then click Add.

  5. In the Add Protocols dialog box, expand All Protocols. Select each of the following protocols and click Add:

    • DPM Agent Coordinator

    • DPM Dynamic Ports

    • DPM Protection Agent

    • NetBIOS Datagram

    • NetBIOS Name Service

    • NetBIOS Session

    • Ping

    • RPC (all interfaces)

    • DPM RPC

    When you have finished adding the protocols, click Close.

    Turn off RPC filtering for RPC (all interfaces). Under Protocols, click RPC (all interfaces), and then click Edit. Click the Parameters tab, under Application Filters clear the check box for RPC Filter, click OK, and then click Next.

  6. On the Access Rule Sources page, click Add.

  7. In the Add Network Entities dialog box, do the following:

    • Expand the Networks node, click Local Host, and then click Add.

    • Expand the Computers node, click the name of your DPM server, and then click Add.

    When you have finished adding network entities, click Close. Then click Next.

  8. On the Access Rule Destinations page, click Add.

  9. In the Add Network Entities dialog box, do the following:

    • Expand the Networks node, click Local Host, and then click Add.

    • Expand the Computers node, click the name of your DPM server, and then click Add.

    When you have finished adding network entities, click Close. Then click Next.

  10. On the User Sets page, accept the default (All Users). Click Next, and then click Finish.

  11. Under All Firewall Policy, right-click the DPM access rule, and then click Properties.

  12. In the Properties dialog box, click Protocols, click RPC (all interfaces), click Filtering, and then click Configure RPC protocol.

  13. In the Configure RPC protocol policy dialog box, clear the Enforce strict RPC compliance check box. Then click OK twice.

  14. Under All Firewall Policy, if the DPM access rule is not the first listed, right-click the DPM access rule, and then click Move Up. Repeat until the rule is the first listed.

  15. In the top pane, click Apply to save your changes and update the configuration.

Warning

Use the following procedure to modify registry settings on the Security Server and the DPM server. Modify the registry with care. Serious system-wide problems might occur if you modify the registry incorrectly. To correct such problems, you may need to reinstall the operating system software on these servers.

To configure registry settings on the Security Server and the DPM server

  1. Log on to the server as domain administrator.

  2. Click Start, click Run, type regedit, and then click OK.

  3. In the left pane of Registry Editor, navigate to HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc.

  4. Right-click the Rpc node, click New, and then click Key. Type Internet as the name of the key.

  5. Configure the following values for the Internet key:

    Name                    Type          Data
    Ports                   REG_MULTI_SZ  50000-50050
    PortsInternetAvailable  REG_SZ        Y
    UseInternetPorts        REG_SZ        Y

  6. To apply the registry settings, close Registry Editor and then restart the server.
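The registry procedure above as a script, added here as an example that is not part of the original article: it creates the Internet key with the three values from the table on a named server through the Remote Registry service and reads them back for confirmation. Server names are placeholders, and the target's Remote Registry service is assumed to be running.

```powershell
# Added example (not from the original article): configure HKLM\Software\Microsoft\Rpc\Internet
# remotely and return what the server actually holds. Requires the Remote Registry
# service on the target and an account with administrative rights there.
function Set-DpmRpcInternetPorts {
    param(
        [Parameter(Mandatory = $true)][string]$ComputerName,
        [string]$PortRange = "50000-50050"   # same range as the DPM Dynamic Ports protocol
    )
    $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey(
        [Microsoft.Win32.RegistryHive]::LocalMachine, $ComputerName)
    try {
        $rpc = $hklm.OpenSubKey("Software\Microsoft\Rpc", $true)
        if ($rpc -eq $null) { throw "Rpc key not found on $ComputerName" }
        # CreateSubKey opens the key when it already exists, so re-running is safe.
        $internet = $rpc.CreateSubKey("Internet")
        $internet.SetValue("Ports", [string[]]@($PortRange),
            [Microsoft.Win32.RegistryValueKind]::MultiString)
        $internet.SetValue("PortsInternetAvailable", "Y",
            [Microsoft.Win32.RegistryValueKind]::String)
        $internet.SetValue("UseInternetPorts", "Y",
            [Microsoft.Win32.RegistryValueKind]::String)
        # Read back so the caller sees the stored values, not just what was sent.
        $result = New-Object PSObject -Property @{
            ComputerName           = $ComputerName
            Ports                  = ($internet.GetValue("Ports") -join ",")
            PortsInternetAvailable = $internet.GetValue("PortsInternetAvailable")
            UseInternetPorts       = $internet.GetValue("UseInternetPorts")
        }
        $internet.Close()
        $rpc.Close()
        return $result
    }
    finally {
        $hklm.Close()
    }
}

# Apply to the Security Server and the DPM server (placeholder names). As the
# procedure notes, the values take effect only after each server is restarted.
foreach ($server in @("SECURITY-SERVER", "DPM-SERVER")) {
    Set-DpmRpcInternetPorts -ComputerName $server |
        Format-List ComputerName, Ports, PortsInternetAvailable, UseInternetPorts
}
```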

Configure DPM server with Exchange Server binaries for integrity checking

For DPM to check data integrity on the Exchange Server database, it must run certain Exchange binaries on the DPM server.

To run the required Exchange Server binaries on the DPM server

  • Copy the files ese.dll and eseutil.exe from the Messaging Server at %SYSTEMDRIVE%\Program Files\Windows Mid-Market Server\Bin\EXCHSRVR80\Setup\ServerRoles\Common\ to <Drive>\Program Files\Microsoft DPM\DPM\Bin (where <Drive> is the hard drive where DPM is installed).

    Important

    If you chose a custom path during DPM install, make sure that you use the appropriate Bin folder for DPM.

    The versions of eseutil.exe and ese.dll that are installed on your Exchange Server must be the same as the versions that are installed on the DPM server.

    In addition, you must update eseutil.exe and ese.dll on the DPM server if they are updated on a computer running Exchange Server after you apply an upgrade or an update.

    For more information about updating eseutil.exe and ese.dll, see Protected Computer Software Prerequisites at the Microsoft Web site (https://go.microsoft.com/fwlink/?LinkID=105556).
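An added example, not part of the original article, that performs the copy above and then compares the file versions of ese.dll and eseutil.exe on the Messaging Server and the DPM server so that a mismatch after an Exchange update is caught. It runs on the DPM server; the Messaging Server name is a placeholder, %SYSTEMDRIVE% is assumed to be C:, and the DPM path assumes the default install location.

```powershell
# Added example (not from the original article). Assumptions: run on the DPM server,
# the Messaging Server's system drive is C: (reached through the administrative
# share), and DPM is installed in the default folder.
$messagingServer = "MESSAGING-SERVER"   # placeholder
$sourceDir = "\\$messagingServer\C$\Program Files\Windows Mid-Market Server\Bin\EXCHSRVR80\Setup\ServerRoles\Common"
$dpmBin    = "C:\Program Files\Microsoft DPM\DPM\Bin"   # adjust for a custom DPM path
$files     = @("ese.dll", "eseutil.exe")

function Get-FileVersionString([string]$Path) {
    # Returns $null when the file is absent so a missing copy shows up as a mismatch.
    if (-not (Test-Path $Path)) { return $null }
    return [System.Diagnostics.FileVersionInfo]::GetVersionInfo($Path).FileVersion
}

foreach ($file in $files) {
    $src = Join-Path $sourceDir $file
    $dst = Join-Path $dpmBin $file
    if (-not (Test-Path $src)) {
        Write-Warning "$src not found; check the Messaging Server path"
        continue
    }
    # Copy only when the DPM copy is missing or carries a different version.
    if ((Get-FileVersionString $src) -ne (Get-FileVersionString $dst)) {
        Write-Host ("Copying {0} (version {1})" -f $file, (Get-FileVersionString $src))
        Copy-Item -Path $src -Destination $dst -Force
    }
}

# Final report: version on each side and whether they match.
foreach ($file in $files) {
    $srcVer = Get-FileVersionString (Join-Path $sourceDir $file)
    $dstVer = Get-FileVersionString (Join-Path $dpmBin $file)
    $state  = if ($srcVer -eq $dstVer) { "OK" } else { "MISMATCH" }
    "{0,-12} Exchange={1,-20} DPM={2,-20} {3}" -f $file, $srcVer, $dstVer, $state
}
```

Re-run the script after any Exchange update or upgrade on the Messaging Server, since the versions on both servers must stay identical.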

Configure a Group Policy setting for Windows Firewall

For the DPM agent to communicate with DPM servers, you should configure the Windows Firewall: Allow inbound file and printer sharing exception Group Policy setting. You can create a Group Policy object (GPO) to configure this setting on the Management Server, Security Server, and Messaging Server.

To create a GPO to configure the Windows Firewall exception

  1. Log on to the Management Server as domain administrator.

  2. Click Start, point to Administrative Tools, and then click Group Policy Management.

  3. In the left pane of the Group Policy Management console, expand the Windows EBS forest.

  4. Under Domains, right-click the name of your domain and click Create a GPO in this domain, and link it here.

  5. In the New GPO dialog box, type a name for the GPO (such as Allow DPM File Sharing). Then click OK.

  6. Click the Linked Group Policy Objects tab, right-click the GPO that you created, and then click Edit.

  7. In the left pane of Group Policy Management Editor, navigate to Computer Configuration\Policies\Administrative Templates: Policy definitions (ADMX files) retrieved from local machine\Network\Network Connections\Windows Firewall\Domain Profile.

  8. In the right pane, under Setting, right-click Windows Firewall: Allow inbound file and printer sharing exception, and then click Properties.

  9. In the Properties dialog box, on the Setting tab, do the following:

    1. Select the Enabled option.

    2. Under Allow unsolicited incoming messages from these IP Addresses, type the IP addresses of the Management Server, Messaging Server, and Security Server (internal IP address). Separate the IP addresses with commas. Then click OK.

  10. Close Group Policy Management Editor.

  11. In the Group Policy Management console, under Domains, click the name of your domain.

  12. In the right pane, click the Linked Group Policy Objects tab, and click the GPO that you created.

  13. Move the GPO so that the Link Order for the GPO is less than the Link Order of the System Center Essentials All Computers Policy.

Group Policy settings are applied to the computers at regular intervals. To apply the settings immediately on the Management Server or the Messaging Server, open a Command Prompt window on the server for Windows EBS, and then type gpupdate /force.

Configure DPM to back up Windows SharePoint Services

Before you can use DPM to back up Windows SharePoint Services, you must start and configure the Windows SharePoint Services VSS Writer service (WSS Writer service).

For more information, see “Starting and Configuring the WSS Writer Service” at the Microsoft Web site (https://go.microsoft.com/fwlink/?LinkId=135002).

Configure the DPM storage pool

Before you can back up your data, you must add at least one hard disk drive to the storage pool. DPM uses the hard disk drives that you add to store the backups.

Important

DPM cannot use space in a pre-existing volume on hard disk drives that are added to the storage pool. Even if a pre-existing volume on a storage pool hard disk drive has free space, DPM can use space only in volumes that it creates.

To make the entire hard disk drive space available to the storage pool, delete existing volumes on the hard disk drive, and then add the hard disk drive to the storage pool. Be sure that the hard disk drive that you plan to use for storing DPM data does not contain any data that you want to keep.

Note

DPM does not support hard disk drives with USB or 1394 interfaces.

To add a hard disk drive to the DPM storage pool

  1. Log on as a domain administrator or local administrator to the server running DPM, and start the DPM Administrator Console.

  2. Click Management, and then click the Disks tab.

  3. In the Actions pane, click Add. A list of the available hard disk drives on the DPM server appears.

  4. Select the hard disk drive that you want to add, and then click OK.

  5. Click Management, and then click the Disks tab. Verify that the hard disk drive you added is present in the list.

Install DPM agents on servers running Windows Essential Business Server

After installing and configuring your DPM server, you must install DPM agents on the servers running Windows EBS. The DPM installation disk provides an executable file named DPMAgentInstaller_AMD64.exe, which performs the following tasks:

  • Installs the protection agent prerequisites and the DPM protection agent.

  • Configures the target computer to receive commands from the specified DPM server name.

  • Configures the firewall to allow incoming communication.

Note

If you are using a language other than English, you can select the localized agent installer from the DPM installation disk at the following location: DPM2007\Agents\<language>\DPMAgentInstaller_AMD64.exe.

To install a DPM protection agent

  1. On the computer where you want to install the protection agent, open a Command Prompt window.

  2. Change directories to the DPM2007\Agents directory, and then type DPMAgentInstaller_AMD64.exe <DPM server name>.

After you have installed the protection agent on the desired server, you need to configure the server running DPM to connect to it. To do that, use the following procedure.

To configure the server running DPM to connect to the protection agent

  1. On the DPM server, start the DPM Management Shell.

  2. Open a Command Prompt window and type Attach-ProductionServer.ps1.

  3. When prompted, enter the following items:

    1. DPM server name

    2. Production server on which the protection agent is installed

    3. User name for an account with domain administrator privileges

    4. Password for the account

    5. Domain name

  4. DPM makes the required configurations to protect the server. The DPM Administrator Console displays the protected server. To display the correct protection agent status, on the Jobs tab, in the Monitoring task area, click Refresh Job.

After you have installed DPM protection agents on your servers running Windows EBS, and you have configured the server running DPM to connect to them, you can monitor and manage the agents. In the DPM Administrator Console, click the Agents tab.

If you want to use the DPM Administrator Console to install protection agents on servers, you should configure your firewall on each server to open the ports listed in the table below.

Protocols and ports used by DPM

Protocol: DCOM
  Port: 135/TCP, dynamic
  Default configuration: Enabled
  Details: The DPM control protocol uses DCOM. DPM issues commands to the protection agent by invoking DCOM calls on the agent. The protection agent responds by invoking DCOM calls on the DPM server. TCP port 135 is the DCE resolution endpoint that is used by DCOM. By default, DCOM assigns ports dynamically from the TCP port range of 1024 through 65535. However, you can configure this range by using Component Services. For more information, see "Using Distributed COM with Firewalls" at the Microsoft Web site (https://go.microsoft.com/fwlink/?LinkId=46088).

Protocol: TCP
  Port: 5718/TCP, 5719/TCP
  Default configuration: Not enabled
  Details: The DPM data channel is based on TCP. Both DPM and the protected computer initiate connections to enable DPM operations such as synchronization and recovery. DPM communicates with the agent coordinator on port 5718 and with the protection agent on port 5719.

Protocol: DNS
  Port: 53/UDP
  Default configuration: Enabled
  Details: Used between DPM and the domain controller, and between the protected computer and the domain controller, for host name resolution.

Protocol: Kerberos
  Port: 88/UDP, 88/TCP
  Default configuration: Enabled
  Details: Used between DPM and the domain controller, and between the protected computer and the domain controller, for authentication of the connection endpoint.

Protocol: LDAP
  Port: 389/TCP, 389/UDP
  Default configuration: Enabled
  Details: Used between DPM and the domain controller for queries.

Protocol: NetBIOS
  Port: 137/UDP, 138/UDP, 139/TCP, 445/TCP
  Default configuration: Enabled
  Details: Used between DPM and the protected computer, between DPM and the domain controller, and between the protected computer and the domain controller, for miscellaneous operations. Used for SMB Service that is directly hosted on TCP/IP for DPM functions.
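An added example, not from the original article, that checks from the DPM server whether the TCP ports in the table above are reachable on each Windows EBS server, so a missing GPO or TMG rule is found before the agents are installed. The UDP ports (DNS, Kerberos 88/UDP, NetBIOS name and datagram) are connectionless and are not probed. Server names are placeholders, and the Management Server is assumed to be the domain controller.

```powershell
# Added example (not from the original article). Run on the DPM server. Uses a plain
# TcpClient connect with a timeout, which works on PowerShell 2.0 without extra modules.
$targets = @{
    "MANAGEMENT-SERVER" = @(135, 139, 445, 5718, 5719)
    "SECURITY-SERVER"   = @(135, 139, 445, 5718, 5719)
    "MESSAGING-SERVER"  = @(135, 139, 445, 5718, 5719)
}
$domainController      = "MANAGEMENT-SERVER"   # assumption: the EBS Management Server holds AD DS
$domainControllerPorts = @(88, 389)            # Kerberos and LDAP, DPM to domain controller

function Test-TcpPort {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 2000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        # A firewall that silently drops packets never answers, so bound the wait.
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($async)
        return $true
    }
    catch { return $false }
    finally { $client.Close() }
}

$results = @()
foreach ($server in $targets.Keys) {
    foreach ($port in $targets[$server]) {
        $results += New-Object PSObject -Property @{
            Server = $server; Port = $port; Open = (Test-TcpPort $server $port)
        }
    }
}
foreach ($port in $domainControllerPorts) {
    $results += New-Object PSObject -Property @{
        Server = $domainController; Port = $port
        Open   = (Test-TcpPort $domainController $port)
    }
}

# 5718/5719 are listened on by the DPM agent, so "closed" there is expected until the
# agent is installed; 135/139/445 closed usually means the Windows Firewall GPO or the
# TMG access rule from the earlier procedures has not taken effect yet.
$results | Sort-Object Server, Port | Format-Table Server, Port, Open -AutoSize
$closed = @($results | Where-Object { -not $_.Open })
if ($closed.Count -gt 0) {
    Write-Warning ("{0} port(s) not reachable from this DPM server" -f $closed.Count)
}
```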

Create DPM protection groups

A DPM protection group is a collection of data sources that share the same protection configuration. Before creating DPM protection groups in your environment, be sure that you complete all the software prerequisites for your servers. You can learn more about these prerequisites in the article "Protected Computer Software Prerequisites" at the Microsoft Web site (https://go.microsoft.com/fwlink/?LinkId=105556).

To create DPM protection groups

  1. In DPM Administrator Console, click Protection.

  2. In the Actions pane, click Create. The Create New Protection Group Wizard appears.

  3. Review the Welcome page, and then click Next.

It is recommended that you create separate protection groups for the Management Server, the Security Server, and the Messaging Server. Below are some protection groups that you might want to create to help protect your Windows EBS servers.

Exchange Server

To create a protection group for Exchange Server

  1. In the DPM Create New Protection Group Wizard, select and expand the Messaging Server.

  2. Select the All Exchange Storage Groups check box to add all storage groups to the protection group.

  3. Continue through the wizard pages to choose the name, type, and frequency of backups.

System Center Essentials and Active Directory Domain Services configuration

To create protection groups for System Center Essentials and Active Directory Domain Services

  1. On the Management Server, in the Services console, right-click SQL Server VSS writer, and then click Start.

    Note

    The SQL Server VSS Writer Service is turned on by default on computers running SQL Server 2005.

  2. In the DPM Create New Protection Group Wizard, select and expand the Management Server in Windows EBS.

  3. Select All SQL Servers from the list.

  4. From the All Shares list, select NETLOGON and SYSVOL.

  5. Finish the wizard by using default settings for the remaining items.

SQL Server databases

If you have the Windows EBS Premium Edition installed, you can protect your SQL Server databases by using DPM.

To create protection groups for SQL Server databases

  1. On the server running SQL Server, in the Services console, right-click SQL Server VSS writer, and then click Start.

    Note

    The SQL Server VSS Writer Service is turned on by default on computers running SQL Server 2005.

  2. In the DPM Create New Protection Group Wizard, select and expand the server in Windows EBS that is running SQL Server.

  3. Select All SQL Servers from the list.

  4. Finish the wizard by using default settings for the remaining items.

Protection groups for volumes, shares, and folders

Create other protection groups as necessary for the volumes, shares, and folders in the servers for Windows EBS that you want to protect with DPM.

Perform system state and full system backups by using DPM and Windows Server Backup

If DPM is configured for Windows EBS as described in the preceding sections, DPM provides continuous backup for all Windows EBS applications and volumes. You can optionally use DPM to back up the system state and Windows Server Backup to perform a full system backup of each server for Windows EBS.

  • A system state backup provides extra protection if the system state (such as the configuration of Active Directory Domain Services) becomes corrupted. To back up the system state of a computer running Windows EBS, you must install all of the features of Windows Server Backup. To install all of the features of Windows Server Backup, in a Command Prompt window, type the following command:

    servermanagercmd -install backup -allsubfeatures

  • A full system backup can be used if you need to recover a server for Windows EBS to new hardware.

For more information about using Windows Server Backup in Windows EBS, see Back Up Using Windows Essential Business Server Tools earlier in this document.